Continued innovation further strengthens BitSight’s core offerings and enables easy integration into vendor risk practices and processes.
Date: March 3, 2015
BitSight Technologies, the standard in Security Ratings, today announced significant enhancements to its innovative Security Ratings product line. The update expands the breadth of data available, enhances integrations with existing tools and processes, and positions BitSight as the most comprehensive Security Ratings platform on the market.
“The BitSight Platform provides independent and objective security risk metrics with dashboards that I can share with my executive team as well as detailed forensics for my technical staff,” states the Director of Security at a leading healthcare technology firm. “BitSight continues to innovate, and we adopt new capabilities as soon as they are provided because they reveal actionable information that serves to further strengthen our security program.”
Enhancements to the Security Ratings Platform include:
Operationalization within Enterprise Vendor Risk Practices:
- API: BitSight Security Ratings are now available via an API, enabling integration into existing vendor risk management and security tools and processes, such as MSSP Security Operations Centers; GRC software platforms like Brinqa and RSA Archer; as well as bespoke security and GRC compliance dashboards.
- Responsible Disclosure & Forensics: The responsible disclosure workflow has been extended to carry the new, more sensitive forensic detail. For their own networks, customers now see the compromised internal IP addresses, the malware server names and destination IP addresses they were talking to, the ports and host names involved, and more. When the issue is on a vendor's network, BitSight grants that third party temporary portal access to the same detailed analytics so it can remediate.
- Risk Vector Letter Grades: Each of the 13 risk vectors in the portal is now graded (A-F) on the company's performance relative to companies of similar size, allowing customers to prioritize actions, identify key areas for improvement, and communicate specific expectations to their vendors.
Data Breadth: BitSight continues to widen the breadth and raise the quality of the data behind Security Ratings by adding high-quality feeds obtained under exclusive contracts with well-respected sources. New data sources include:
- Diligence Risk Vectors: BitSight has incorporated a new class of Diligence Risk Vectors into Security Ratings, which are centered on checking security configurations including Application Security, Open Ports, TLS/SSL Certificates, DNSSEC Records and more.
- With Application Security, BitSight now offers customers insight into the security practices of their third parties' websites, and gives security teams a tactical tool for auditing their own organization's HTTP security headers. HTTP Strict Transport Security (HSTS) is one example: a browser that has received a valid HSTS header over HTTPS will refuse to talk plain HTTP to that host for the stated max-age. A server that omits the header, or sends it only over HTTP (where browsers ignore it), leaves clients free to follow http:// links or a downgraded redirect, and an on-path observer of that plaintext session can read or modify traffic, including credentials.
- Open Ports gives customers visibility into services on a company's network that are normally internal but are reachable from the Internet, such as MySQL. A MySQL listener exposed to the Internet and protected only by default or weak credentials can let an outsider read intellectual property straight out of a corporate database.
- Email authentication: As part of its diligence risk vectors, BitSight also rates SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) configuration. SPF publishes, in DNS, the hosts permitted to send mail for a domain; DKIM lets receiving servers verify a signature the domain's own mail servers place on each message. Together they let receivers reject spoofed mail of the kind used in spear phishing, and a weak SPF policy (for example one ending in `+all` or `?all`) gives a receiver no grounds to reject a forgery. Poor SPF configurations contributed to the recent Anthem breach, emphasizing the importance of assessing your supply chain for good phishing controls.
- File Sharing (Torrents): The BitSight Platform now includes torrent information. This new data reveals IP addresses that are sharing or downloading popular torrents on the BitTorrent network, the peer-to-peer protocol used to distribute large files over the Internet. The torrents span music, movies, unlicensed software and questionable or illegal content, much of which corporate acceptable-use policies prohibit and which can carry malware, harming the company's security posture.
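The two configuration checks described above, HSTS on a web response and SPF in DNS, can be audited offline once you have the raw header or TXT record in hand. The following is an added example written for this page, not BitSight code and not a description of how BitSight's risk vectors are computed. It assumes nothing beyond the RFC rules it cites; the HTTP responses and SPF records it examines are constructed samples, not real site data. It goes slightly beyond the text in two ways: it applies the RFC 6797 rules that make an HSTS header invalid (missing or non-numeric max-age, duplicated directives, delivery over plain HTTP), and it counts the DNS-lookup terms in an SPF record against the ten-lookup limit of RFC 7208, which turns an otherwise strict policy into a permanent error at the receiver.

```python
"""Offline audit of an HSTS header and an SPF record (added example).
Sample inputs are constructed for illustration, not real site data."""
import re

ONE_YEAR = 31536000          # seconds; what browser preload lists require
MAX_SPF_LOOKUPS = 10         # RFC 7208 section 4.6.4
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def response_headers(raw):
    """Lower-cased {name: [values]} from a raw HTTP response head."""
    headers = {}
    for line in raw.split("\r\n")[1:]:        # skip the status line
        if not line:
            break                             # blank line ends the head
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_hsts(raw_response, scheme="https"):
    """Return (verdict, reasons). Verdict is one of: missing, ignored,
    invalid, weak, ok, preload-ready. Parsing follows RFC 6797 section 6.1."""
    values = response_headers(raw_response).get("strict-transport-security")
    if not values:
        return "missing", ["no Strict-Transport-Security header"]
    if scheme != "https":
        return "ignored", ["browsers discard HSTS received over plain http"]
    directives = {}
    for part in values[0].split(";"):        # only the first header counts
        if not part.strip():
            continue
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if name in directives:               # duplicates invalidate the header
            return "invalid", ["duplicate directive " + name]
        directives[name] = val.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not max_age.isdigit():
        return "invalid", ["max-age is required and must be a non-negative integer"]
    if int(max_age) == 0:
        return "weak", ["max-age=0 makes browsers forget the policy"]
    reasons = []
    if int(max_age) < ONE_YEAR:
        reasons.append(f"max-age {max_age} is under one year")
    if "includesubdomains" not in directives:
        reasons.append("includeSubDomains missing; subdomains still reachable over http")
    if reasons:
        return "weak", reasons
    return ("preload-ready" if "preload" in directives else "ok"), []


def audit_spf(record):
    """Return {'verdict', 'lookups', 'findings'} for one SPF TXT record.
    include/redirect targets are counted as lookups but not resolved, so the
    check runs without network access."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        return {"verdict": "missing", "lookups": 0, "findings": ["no v=spf1 record"]}
    terms, modifiers = [], {}
    for tok in tokens[1:]:
        m = re.fullmatch(r"([A-Za-z][\w.-]*)=(.*)", tok)
        if m:                                   # modifier, e.g. redirect=
            modifiers[m.group(1).lower()] = m.group(2)
            continue
        qualifier = tok[0] if tok[0] in "+-~?" else "+"
        mech, _, arg = tok.lstrip("+-~?").partition(":")
        terms.append((qualifier, mech.split("/")[0].lower(), arg))
    findings = []
    lookups = sum(1 for _, m, _ in terms if m in LOOKUP_MECHANISMS)
    if "redirect" in modifiers:
        lookups += 1
    if any(m == "ptr" for _, m, _ in terms):
        findings.append("ptr is deprecated (RFC 7208 section 5.5)")
    all_idx = next((i for i, t in enumerate(terms) if t[1] == "all"), None)
    if all_idx is None:
        verdict = "redirect" if "redirect" in modifiers else "weak"
        if verdict == "weak":
            findings.append("no 'all' term: unmatched senders get an implicit neutral")
    else:
        q = terms[all_idx][0]
        verdict = {"+": "open", "?": "weak", "~": "softfail", "-": "strict"}[q]
        if q == "+":
            findings.append("+all lets any host on the Internet send as this domain")
        elif q == "?":
            findings.append("?all is neutral: spoofed mail is neither passed nor failed")
        if all_idx < len(terms) - 1:
            findings.append("terms after 'all' are never evaluated")
    if lookups > MAX_SPF_LOOKUPS:
        verdict = "permerror"
        findings.append(f"{lookups} lookup terms exceed the limit of {MAX_SPF_LOOKUPS}")
    return {"verdict": verdict, "lookups": lookups, "findings": findings}


# Constructed sample inputs (not real site data) for a stand-alone run.
SAMPLE_RESPONSES = {
    "missing": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "short": "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n\r\n",
    "good": ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: "
             "max-age=63072000; includeSubDomains; preload\r\n\r\n"),
}
SAMPLE_SPF = {
    "strict": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "open": "v=spf1 a mx +all",
    "nofail": "v=spf1 include:_spf.example.net",
}

if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        print("hsts", name, audit_hsts(raw))
    for name, rec in SAMPLE_SPF.items():
        print("spf", name, audit_spf(rec))
```

Two caveats when using this on real targets: the HSTS verdict only describes what the server sent, so a header seen on one path but missing on a redirect or error page still leaves that page unprotected, and the SPF lookup count here is a lower bound, because every `include:` target has its own record whose lookups also count toward the ten.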
Instant Search and Add:
- Customers can now search BitSight’s large company inventory and add a company to their portfolio in one step, with immediate access to its rating details.
“BitSight continues to demonstrate innovation and leadership in the security ratings industry, giving companies visibility and control into the security practices of their partner ecosystem” said Stephen Boyer, CTO and co-founder of BitSight Technologies. “We are pioneering a new way to manage cyber risks across the extended enterprise, and our new features will deepen the level of understanding for customers across a wide-range of industries.”
Today’s enterprises require a complete picture of their own security posture and that of their third parties. A new study, conducted by Forrester and commissioned by BitSight, found that while roughly 59 percent of IT security decision-makers want to track the security effectiveness of third parties, only 2 percent monitor it on a monthly basis. The findings are available at http://bitsig.ht/1FyU3Au
About BitSight Technologies
BitSight Technologies is transforming how companies manage information security risk with objective, evidence-based security ratings. The company's Security Rating Platform continuously analyzes vast amounts of external data on security behaviors in order to help organizations manage third party risk, benchmark performance, and assess and negotiate cyber insurance premiums. Based in Cambridge, MA, BitSight is backed by the National Science Foundation, Commonwealth Capital Ventures, Flybridge Capital Partners, Globespan Capital Partners, and Menlo Ventures. For more information, please visit www.bitsight.com or follow @BitSight on Twitter.